Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2012
    S M T W T F S
    « Jul   Sep »
  • Email Subscription

  • About Us

    Archive for August 16th, 2012

    We were alerted to reports of an exploit targeting the CVE-2012-1535, a vulnerability in Adobe Flash Player to drop a backdoor into the vulnerable system.

    The said exploit masquerades as a .DOC file (detected as TROJ_MDROP.EVL) that possibly arrives as an attachment to email messages. Users who are tricked into opening the said file actually execute the said exploit. Once exploit is successful, it then drops the files %User Profile%Application Datataskman.dll and %User Profile%Local Settings~WORDL.tmp, which are detected by Trend Micro as BKDR_BRIBA.EVL. Said backdoor attempts to make a connection to http://publicnews.{BLOCKED}, possibly to download another file. However, said URL is inaccessible as of this writing.

    Affected Adobe Flash Player versions include 11.3.300.270 and earlier versions for Windows, Mac, and Linux OS. Android OS users need not worry as they are not affected by this vulnerability.

    Trend Micro Smart Protection Network™ detects and deletes all malware related to this attack. It also prevents connections made to related URLs accessed by both malware. Deep Security users are protected via the following rules:

    • 1004114 – Identified Malicious Adobe SWF File
    • 1004647 – Restrict Microsoft Office File With Embedded SWF

    Whenever possible, immediately apply the latest security update released by Adobe. Users should also refrain from opening email messages and downloading attachments coming from unknown resources.

    Update as of August 17, 2012 6:36 AM PST

    Additional Deep Security rules have been issued for customers. Apply the following rules to protect your network against this exploit:

    • 1005154 – Adobe Flash Player Remote Code Execution Vulnerability
    • 1005155 – Adobe Flash Player Remote Code Execution Vulnerability (CVE-2012-1535)

    Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

    Posted in Exploits, Malware, Vulnerabilities | Comments Off on CVE-2012-1535 Exploit Leads to Backdoor

    Back when malware were so not rampant, anti-malware software heavily relied on virus signature updates to catch malicious programs. It worked pretty well at that time, and false alarm problems were very rare unless an operational error causes faulty virus signatures to be released publicly.

    In recent years, with the thriving underground economy, we’ve seen malware growing at an exponential rate and its capabilities becoming more complex. This might be because the cybercrime business funds the development of sophisticated malware. Advanced techniques in evasion and covert operations are also characteristics of today’s malware, making it more difficult to detect and trace.

    Faced with these conditions, most anti-malware software vendors continuously innovate to introduce new approaches in detecting more malware, especially malware that have not been spreading yet. Most of the approaches are based on heuristics detection, wherein the anti-malware software analyzes the behavior to determine whether it’s a virus or not. However, the said approach is a double-edged sword: while it helps increase detection rate, it is also prone to lead to false alarms.

    False alarms can really hurt you

    A false alarm, also termed false positive, occurs when a legitimate or clean file is wrongly identified as a malicious or infected file by an anti-malware program.

    In some cases, false alarms can just be mere annoying if it causes warning messages popping on users’ screens. In other cases, however, false alarms can be very destructive — especially when the file is a system file and got deleted because of the false detection (some examples can be found here and here). If this happens in a corporate environment, the impact to the business is costly — productivity suffers while the detection problem is investigated, fixed, restored, recovered.

    How accurate is your AV product?

    In an ideal world, a perfect anti-malware product detects all malware and does not have false alarms. Unfortunately, in the real world, that’s not the case.

    False alarms are actually a common problem for anti-malware products. Realistically, the best protection a good anti-malware product could have is detecting as many malware as possible while keeping false alarms as close to zero as possible. To achieve this, something needs to be done to prevent false alarms.

    Most anti-malware products only passively provide an exception list where users can add already falsely detected programs to so those program files won’t be scanned again. Users can also submit these files to security vendors for further analysis. However, none of these methods are good enough to prevent false alarms from happening.

    Beyond blacklisting

    It is Trend Micro’s priority to provide customers more accurate protection. To achieve this, Trend Micro invests in whitelisting technologies and continuously evolves to boost our protection technologies when most anti-virus vendors still only focus on traditional blacklisting protection.

    As an example, Trend Micro has GRID (Goodware Repository and Information Database). GRID is an extensive repository for all known good software files. These files are collected via partner programs and via automated collection tools. As an expansion of Trend Micro Smart Protection Network, Trend Micro has used GRID since 2009.

    All files are carefully processed and analyzed, ensuring the files’ integrity before being checked into the GRID database. The GRID database also houses software file copies, all file metadata, and contextual file information such as how the file was packaged, origin, and other file associations.

    Trend Micro protects you with quality detection

    With the GRID whitelisting technology, Trend Micro has rich information of not only the bad (malware) files, but the good files as well. This information is used to check all files against the database, ensuring the quality of detection that Trend Micro products provide.

    In addition, Trend Micro products are also capable of in-the-cloud whitelist-checking for files during product scans. If the file is found in GRID, it means the file is safe so the product can stop scanning that particular file and move on to the next file. This happens seamlessly, without the need for the user’s intervention.

    With today’s threat landscape, malware knowledge is no longer enough. The ability to accurately distinguish between the good and the bad plays a significant role in providing superior protection customers. Our innovative whitelisting technology provides this quality protection and is available in most of Trend Micro products for consumers, small/medium businesses, and enterprises.

    Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

    Posted in Malware | Comments Off on Catch All the Bad Guys, Not the Good Guys


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice